1 Answer
1

You can run an exhaustive search on the possible plaintexts. No padding means no randomness; encryption is deterministic, so you can "try" plaintexts and see if one matches the encrypted value when encrypted.

Without padding, encryption of m is $m^e \bmod n$: the message m is interpreted as an integer, then raised to exponent e, and the result is reduced modulo n. If e = 3 and m is short, then $m^3$ could be an integer which is smaller than n, in which case the modulo operation is a no-operation. In that case, you can just compute the cube root of the value you have (cube root for plain integers, not modular cube root).

Further, the last attack has a simple extension working for short $m$ slightly wider than $n^{1/e}$; we are given $c=m^e\bmod n$ and can find by enumeration $k$ such that $k⋅n+c$ is an $e$th power; then $m=(k⋅n+c)^{1/e}$.
– fgrieu Mar 21 '13 at 12:02
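
The plain integer root from the answer, the $k$ enumeration from the comment, and the re-encryption check for guessed plaintexts, as an added Python example that is not part of the original posts. The modulus, messages and function names are constructed for illustration; the modulus is built from two well-known special-form primes and is not a secure key.

```python
# Added example: key, messages and helper names are constructed for illustration.
E = 3
# Two well-known special-form primes, each = 2 (mod 3), so e = 3 is a valid
# public exponent. Illustration only: this modulus is not a secure key.
P = 2**448 - 2**224 - 1
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1
N = P * Q  # about 832 bits

def textbook_encrypt(msg: bytes, e: int = E, n: int = N) -> int:
    """Unpadded RSA: c = m^e mod n. Same input always gives same output."""
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def iroot(x: int, e: int) -> int:
    """Floor of the e-th root of a non-negative integer (plain, not modular)."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**e <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def recover_short_message(c: int, e: int = E, n: int = N, max_k: int = 1024):
    """Find k with k*n + c a perfect e-th power; k = 0 is the plain root case.
    Returns (m, k), or None when m is too large for this approach."""
    for k in range(max_k + 1):
        m = iroot(k * n + c, e)
        if m**e == k * n + c:
            return m, k
    return None

def match_candidate(c: int, candidates):
    """Deterministic encryption lets a guess be confirmed by re-encrypting it."""
    return next((g for g in candidates if textbook_encrypt(g) == c), None)

SHORT = b"PIN=4921"                             # m^3 < n
WIDE = b"transfer 1000 to account 12345678 !"   # 35 bytes, m^3 > n

if __name__ == "__main__":
    for msg in (SHORT, WIDE):
        m, k = recover_short_message(textbook_encrypt(msg))
        print(k, m.to_bytes((m.bit_length() + 7) // 8, "big"))
    print(match_candidate(textbook_encrypt(b"no"), [b"yes", b"no", b"maybe"]))
```

With randomized padding such as OAEP the padded input is full-width and differs on every encryption, so neither the root search nor the re-encryption check applies.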